mirror of
https://github.com/tommytran732/Matrix.to-Docker
synced 2024-11-25 03:01:34 -05:00
Compare commits
8 Commits
3345c8bbe7
...
85adc95998
Author | SHA1 | Date | |
---|---|---|---|
85adc95998 | |||
621dbf7d82 | |||
2c88225667 | |||
f5dfb4801a | |||
7d3dd174af | |||
0924408ecd | |||
1a9dd596ed | |||
fc894556bb |
33
.github/workflows/build.yml
vendored
33
.github/workflows/build.yml
vendored
@ -9,8 +9,8 @@ on:
|
||||
paths-ignore:
|
||||
- '**.md'
|
||||
schedule:
|
||||
# Build the image regularly (each Saturday)
|
||||
- cron: '0 22 * * 6'
|
||||
# Build the image daily
|
||||
- cron: '0 0 * * *'
|
||||
|
||||
env:
|
||||
REGISTRY: ghcr.io
|
||||
@ -67,9 +67,11 @@ jobs:
|
||||
env:
|
||||
TAGS: ${{ steps.meta.outputs.tags }}
|
||||
|
||||
scan:
|
||||
name: Scan current image & report results
|
||||
trivy:
|
||||
name: Scan current image with Trivy
|
||||
needs: build
|
||||
permissions:
|
||||
security-events: write
|
||||
runs-on: "ubuntu-latest"
|
||||
steps:
|
||||
- name: Run Trivy vulnerability scanner
|
||||
@ -85,4 +87,25 @@ jobs:
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
category: 'trivy'
|
||||
|
||||
grype:
|
||||
name: Scan current image with Grype
|
||||
needs: build
|
||||
permissions:
|
||||
security-events: write
|
||||
runs-on: "ubuntu-latest"
|
||||
steps:
|
||||
- name: Run Grype vulnerability scanner
|
||||
uses: anchore/scan-action@v3
|
||||
id: grype
|
||||
with:
|
||||
image: "ghcr.io/tommytran732/matrix.to"
|
||||
fail-build: false
|
||||
|
||||
- name: Upload Grype scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{ steps.grype.outputs.sarif }}
|
||||
category: grype
|
27
.github/workflows/scan.yml
vendored
27
.github/workflows/scan.yml
vendored
@ -1,27 +0,0 @@
|
||||
name: Scan
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
schedule:
|
||||
# Scan the image regularly (once a day)
|
||||
- cron: '0 23 * * *'
|
||||
|
||||
jobs:
|
||||
scan:
|
||||
name: Scan current image & report results
|
||||
runs-on: "ubuntu-latest"
|
||||
steps:
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: 'ghcr.io/tommytran732/matrix.to'
|
||||
format: 'template'
|
||||
template: '@/contrib/sarif.tpl'
|
||||
output: 'trivy-results.sarif'
|
||||
severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
|
||||
vuln-type: "os,library"
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
@ -43,7 +43,9 @@ WORKDIR /home/matrix-to/matrix.to
|
||||
|
||||
RUN git apply /home/matrix-to/matrix.to/element.patch \
|
||||
&& rm -rf .git \
|
||||
&& rm -rf yarn.lock \
|
||||
&& yarn \
|
||||
&& yarn cache clean \
|
||||
&& yarn build
|
||||
|
||||
COPY --from=hmalloc-builder /tmp/hardened_malloc/out/libhardened_malloc.so /usr/local/lib/
|
||||
|
@ -11,4 +11,10 @@ This is my own Docker image building from [the official repository](https://gith
|
||||
- Don't trust random images: build yourself if you can.
|
||||
- Default Element instance is changed from [Element.io](https://app.element.io) to [ArcticFoxes.net](https://element.arcticfoxes.net)
|
||||
- The Dockerfile builds from the main branch, as releases do not come out frequently.
|
||||
- The image comes with the [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) built from the latest tag.
|
||||
- `yarn.lock` is ignored, as upstream does not bump dependencies properly.
|
||||
|
||||
### Features & usage
|
||||
- Unprivileged image: default UID/GID is 992.
|
||||
- Based on the latest [Alpine](https://alpinelinux.org/) container which provide more recent packages while having less attack surface.
|
||||
- Daily rebuilds keeping image up-to-date.
|
||||
- Comes with the [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) built from the latest tag, protecting against some heap-based buffer overflows.
|
Loading…
Reference in New Issue
Block a user